Hi Scott,

Thanks for the reply. Yes, you are right, my single sign-on session is still
enabled. I know we could specify a global session timeout for all casified
apps by modifying ticketExpirationPolicies.xml. However, suppose I have app1
and app2, both of them casified, and I want to configure the session timeout
as 5 minutes for app1 and as 10 minutes for app2. How do I implement that?

My understanding is that when app1 times out after being inactive for 5
minutes, to totally log the user out I have to invalidate its service ticket
and actually call CAS logout (otherwise, when the user opens a new tab in the
same browser and tries to access a secured page in app1, he is still able to
get there without being reauthenticated). However, if I log the user out of
app1 by calling CAS logout, the user will be logged out of app2 as well,
supposing he/she has another tab that is browsing app2.

Please advise. Thanks so much!

Xuejin



scott_battaglia wrote:
> 
> Most likely your single sign-on session is still enabled, since it's
> completely independent of an application's session, and you're just being
> automatically logged back into the application.
> 
> 
> On Wed, Jun 10, 2009 at 5:07 PM, Xuejin Ruan <[email protected]>
> wrote:
> 
>>
>> I have an application implementing Spring Security with CAS. I am trying to
>> set the session timeout in the web.xml file so that when the application is
>> inactive for a certain number of minutes, it will trigger a session timeout
>> and the user needs to be reauthenticated. Without integrating the application
>> with CAS, session timeout works fine for Spring Security as expected. However,
>> after integrating it with CAS, session timeout doesn't seem to be working, and
>> I can still navigate to a secured page even after the page has been inactive
>> for more than the time I set in the session timeout config.
>>
>> What I did was to define the following in the web.xml file (examples provided
>> in http://idms.rutgers.edu/cas/sample_spring_security.shtml):
>>
>> <listener>
>>     <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
>> </listener>
>> ......
>> <session-config>
>>     <session-timeout>1</session-timeout>
>> </session-config>
>>
>> Am I missing anything?
>>
>> Thanks in advance for any advice.
>>
>> Xuejin
>>
>> Below is my web.xml:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>>                              http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>>          version="2.4">
>>
>>     <display-name>Spring Security Tutorial Application</display-name>
>>
>>     <context-param>
>>         <param-name>contextConfigLocation</param-name>
>>         <param-value>
>>             classpath:applicationContext-business.xml
>>             classpath:gov/pc/portal/springsecurity/spring.xml
>>             /WEB-INF/applicationContext-security.xml
>>         </param-value>
>>     </context-param>
>>
>>     <context-param>
>>         <param-name>log4jConfigLocation</param-name>
>>         <param-value>/WEB-INF/classes/log4j.properties</param-value>
>>     </context-param>
>>
>>     <context-param>
>>         <param-name>webAppRootKey</param-name>
>>         <param-value>C:\apache-tomcat-6.0.18\apache-tomcat-6.0.18\webapps\SpringSecurityAnotherTest\</param-value>
>>     </context-param>
>>
>>     <filter>
>>         <filter-name>springSecurityFilterChain</filter-name>
>>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>     </filter>
>>
>>     <filter-mapping>
>>         <filter-name>springSecurityFilterChain</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <listener>
>>         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>>     </listener>
>>
>>     <listener>
>>         <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
>>     </listener>
>>
>>     <listener>
>>         <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
>>     </listener>
>>
>>     <servlet>
>>         <servlet-name>bank</servlet-name>
>>         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
>>         <load-on-startup>1</load-on-startup>
>>     </servlet>
>>
>>     <servlet-mapping>
>>         <servlet-name>bank</servlet-name>
>>         <url-pattern>*.html</url-pattern>
>>     </servlet-mapping>
>>
>>     <!-- Test on session timeout configuration -->
>>     <session-config>
>>         <session-timeout>1</session-timeout>
>>     </session-config>
>>
>>     <welcome-file-list>
>>         <welcome-file>index.jsp</welcome-file>
>>     </welcome-file-list>
>>
>> </web-app>
>> ~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Below is applicationContext-security.xml:
>>
>> ***************************
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:sec="http://www.springframework.org/schema/security"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:p="http://www.springframework.org/schema/p"
>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>>                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>                            http://www.springframework.org/schema/security
>>                            http://www.springframework.org/schema/security/spring-security-2.0.xsd">
>>
>>     <sec:http entry-point-ref="casProcessingFilterEntryPoint">
>>         <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" requires-channel="https"/>
>>         <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
>>         <sec:intercept-url pattern="/listAccounts.html" access="IS_AUTHENTICATED_REMEMBERED"/>
>>         <sec:intercept-url pattern="/post.html" access="ROLE_TELLER"/>
>>         <sec:logout logout-success-url="https://DPRG110.ad.co.pierce.wa.us:8443/cas/logout"/>
>>         <!-- This will only allow one user to login at one time -->
>>         <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
>>     </sec:http>
>>
>>     <sec:authentication-manager alias="authenticationManager"/>
>>
>>     <!-- CAS -->
>>
>>     <bean id="casProcessingFilterEntryPoint"
>>           class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
>>         <property name="loginUrl" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/login"/>
>>         <property name="serviceProperties" ref="serviceProperties"/>
>>     </bean>
>>
>>     <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
>>         <property name="service"
>>                   value="https://DPRG110.ad.co.pierce.wa.us:8443/SpringSecurityTest/j_spring_cas_security_check"/>
>>         <property name="sendRenew" value="false"/>
>>     </bean>
>>
>>     <bean id="casAuthenticationProvider"
>>           class="org.springframework.security.providers.cas.CasAuthenticationProvider">
>>         <sec:custom-authentication-provider/>
>>         <property name="userDetailsService" ref="userService"/>
>>         <property name="serviceProperties" ref="serviceProperties"/>
>>         <property name="ticketValidator">
>>             <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
>>                 <constructor-arg index="0" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas"/>
>>                 <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
>>                 <property name="proxyCallbackUrl" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/secure/receptor"/>
>>             </bean>
>>         </property>
>>         <property name="key" value="changeit"/>
>>     </bean>
>>
>>     <bean id="casProcessingFilter"
>>           class="org.springframework.security.ui.cas.CasProcessingFilter"
>>           p:authenticationManager-ref="authenticationManager"
>>           p:authenticationFailureUrl="/index.jsp"
>>           p:alwaysUseDefaultTargetUrl="false"
>>           p:filterProcessesUrl="/j_spring_cas_security_check"
>>           p:defaultTargetUrl="/">
>>         <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
>>     </bean>
>>
>>     <bean id="proxyGrantingTicketStorage"
>>           class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
>>
>>     <sec:authentication-provider user-service-ref="userService"/>
>>
>>     <!-- Password Encoder -->
>>     <bean id="passwordEncoder"
>>           class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
>>
>>     <bean id="userService" class="gov.pc.portal.springsecurity.PortalUserService">
>>         <property name="dataSource" ref="portalDataSource"/>
>>         <property name="applicationId" value="107"/>
>>     </bean>
>> </beans>
>>
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Session-timeout-for-Spring-Security-with-CAS-tp23971062p23971062.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
>>
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
> 

-- 
View this message in context: 
http://www.nabble.com/Session-timeout-for-Spring-Security-with-CAS-tp23971062p23985416.html
Sent from the CAS Users mailing list archive at Nabble.com.
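Added configuration example, not from the original thread, showing one way to give app1 its own inactivity timeout without ending the shared SSO session: app1 keeps a 5-minute `<session-timeout>` in its web.xml, and its `ServiceProperties` sets `sendRenew` to true, so when app1's HttpSession expires and Spring Security redirects to CAS, the login redirect carries `renew=true` and CAS requires credentials again for that service instead of silently reusing the ticket-granting ticket. The SSO session itself is not destroyed, so a tab in app2 (with its own 10-minute web.xml timeout and `sendRenew` left false) is unaffected; hostnames and URLs are copied from the posted config, and the `renew` property on the Jasig ticket validator is an assumed server-side check, so that only tickets issued from fresh credentials are accepted.

```xml
<!-- app1: web.xml (timeout is in minutes) -->
<session-config>
    <session-timeout>5</session-timeout>
</session-config>

<!-- app1: applicationContext-security.xml -->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service"
              value="https://DPRG110.ad.co.pierce.wa.us:8443/SpringSecurityTest/j_spring_cas_security_check"/>
    <!-- true: entry point appends renew=true to the CAS login URL, bypassing SSO for this service -->
    <property name="sendRenew" value="true"/>
</bean>

<bean id="casAuthenticationProvider"
      class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <sec:custom-authentication-provider/>
    <property name="userDetailsService" ref="userService"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas"/>
            <!-- assumed: reject tickets that were not issued from a fresh credential prompt -->
            <property name="renew" value="true"/>
        </bean>
    </property>
    <property name="key" value="changeit"/>
</bean>

<!-- app2: web.xml keeps its own, longer timeout and leaves sendRenew="false" -->
<session-config>
    <session-timeout>10</session-timeout>
</session-config>
```

The trade-off is that every redirect of app1 to CAS, not only the one after a timeout, will prompt for credentials, so app1 effectively opts out of silent SSO login while staying inside the same CAS logout domain.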

